Open aputtu opened 11 months ago
Thanks, valid points and suggestions. The validation on the form page is pure HTML5 using regular expression patterns, which makes it unrealistic to cover all corners for complete verification. E.g. checking for dictionary words or simple patterns like 12345678 will generally need the python backend. The input errors come from our standard safeinput validation helpers, which are unaware of the specific context.
In short, polish is possible but not trivial.
Bug report in internal ticket #33041 points out that "<>" characters are likely using the wrong encoding. The characters get displayed incorrectly when a password containing a non-allowed character gets rejected and the allowed characters are displayed.
True, everything in that string currently gets html-encoded to prevent illegal characters from being injected into our html and potentially causing XSS attack vectors. Not sure how much work it would require to only encode the actual invalid char(s).
Some issues in user experience when setting password at https://sid.erda.dk/cgi-sid/reqoid.py :
The error message:
Steps to reproduce re: invalid characters:
Steps to reproduce re: weak password
Suggestions for improving user experience:
Make error message more readable if user somehow still slips by check; e.g.:
We allow the following characters: a-z, A-Z, 0-9 and -_#.,:;!@%/()[]{}+=?<>
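To illustrate the two points raised in the thread (a backend check for things HTML5 patterns cannot catch, such as dictionary words or sequences like 12345678, and an error message that escapes only the offending characters so the "<>" in the allowed list renders correctly), here is an added Python example. It is not code from the ERDA project or from reqoid.py; the function names, the minimum length of 8, the use of `html.escape`, and the small word list are assumptions constructed for this example, and the allowed character set is the one listed above.

```python
import html
import re

# Allowed punctuation as listed in the issue; letters and digits are added in the regex.
ALLOWED_PUNCT = "-_#.,:;!@%/()[]{}+=?<>"
ALLOWED_RE = re.compile(r"^[A-Za-z0-9" + re.escape(ALLOWED_PUNCT) + r"]+$")

# Assumed policy values for this example only.
MIN_LENGTH = 8
# Constructed mini word list; a real deployment would load a proper dictionary.
WEAK_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}


def invalid_chars(password):
    """Return the distinct characters not in the allowed set, in order of first appearance."""
    seen = []
    for ch in password:
        if not ALLOWED_RE.match(ch) and ch not in seen:
            seen.append(ch)
    return seen


def is_simple_sequence(password):
    """True for runs like 12345678, abcdefgh, 87654321 or a single repeated character."""
    if len(set(password)) == 1:
        return True
    deltas = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return deltas in ({1}, {-1})


def contains_weak_word(password):
    """True when the password contains one of the constructed dictionary words (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in WEAK_WORDS)


def check_password(password):
    """Return a list of HTML-safe error messages; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("Password must be at least %d characters long." % MIN_LENGTH)
    bad = invalid_chars(password)
    if bad:
        # Escape the offending characters and the allowed list exactly once each, at the point
        # where they are put into HTML. Escaping the whole message again later would turn the
        # entities into visible "&lt;" text, which is the display problem described in the ticket.
        shown_bad = ", ".join(html.escape(c) for c in bad)
        errors.append(
            "Password contains the character(s) %s which are not allowed. "
            "Allowed characters: a-z, A-Z, 0-9 and %s"
            % (shown_bad, html.escape(ALLOWED_PUNCT))
        )
    if is_simple_sequence(password):
        errors.append("Password is a simple sequence or a repeated character.")
    if contains_weak_word(password):
        errors.append("Password contains a common dictionary word.")
    return errors


if __name__ == "__main__":
    for candidate in ["Valid#Pass9", "Tr0ub4dor&x", "12345678", "Password123!"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The messages returned by `check_password` are already HTML-safe, so the caller must insert them into the page without escaping them a second time; that single point of escaping is what keeps "<>" readable while still blocking injected markup.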